helm-charts
[Bug]: would like to disable cert-manager, but I still check Cert when starting the service
What happened?
I am deploying jaeger-operator 1.47.0 through helm-charts 1.46.0 and would like to disable cert-manager, as we have our own TLS service. I disabled them in the values, but the cert is still checked when starting the service. May I know how to handle this change?
Disable webhooks and certificates via values.yaml
```yaml
certs:
  issuer:
    create: false
    name: ""
  certificate:
    create: false
    namespace: ""
    secretName: ""
    issuerKind: Issuer
webhooks:
  mutatingWebhook:
    create: false
  validatingWebhook:
    create: false
  port: 9443
  service:
    annotations: {}
    create: false
    name: ""
```
Expected behavior
I disabled them in the values, but the cert is still checked when starting the service. May I know how to handle this change?
Relevant log output
```
Warning FailedMount 50s (x10 over 5m) kubelet MountVolume.SetUp failed for volume "cert" : secret "jaeger-operator-service-cert" not found
Warning FailedMount 42s (x2 over 2m57s) kubelet Unable to attach or mount volumes: unmounted volumes=[cert], unattached volumes=[cert kube-api-access-7bkf8]: timed out waiting for the condition
```
Version (please complete the following information):
helm-charts 1.46.0, jaeger-operator 1.47.0, Kubernetes v1.23, Linux

```bash
helm install jaeger jaeger-operator -n observability
```
@czomo @mjnagel, I am deploying Jaeger-operator 1.47 through helm-chart 1.46 and I would like to disable certificate manager, as we have our own TLS platform. Is it feasible? During deployment, it was found that even if the values are set to false, pod startup still looks for certs, resulting in pod startup failure.
Solution:

```bash
# 1. Generate a private key (server-key.pem) and a CSR (server.csr)
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "kubernetes.default.svc.cluster.local",
    "10.96.0.1"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

# 2. Submit the CSR to the cluster
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: kubernetes.default
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: example.com/serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

# 2.1 Approve the CSR (the name must match metadata.name above)
kubectl certificate approve kubernetes.default

# 3. Create the signing CA (ca.pem, ca-key.pem)
cat <<EOF | cfssl gencert -initca - | cfssljson -bare ca
{
  "CN": "My Example Signer",
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
EOF

# 4. Write the signing config; a quoted heredoc keeps the JSON quotes intact
#    and ">" overwrites the file instead of appending on a re-run
cat <<'EOF' > server-signing-config.json
{
  "signing": {
    "default": {
      "usages": [
        "digital signature",
        "key encipherment",
        "server auth"
      ],
      "expiry": "876000h",
      "ca_constraint": {
        "is_ca": false
      }
    }
  }
}
EOF

# 5. Sign the CSR held by the cluster with the CA (ca-signed-server.pem)
kubectl get csr kubernetes.default -o jsonpath='{.spec.request}' | \
  base64 --decode | \
  cfssl sign -ca ca.pem -ca-key ca-key.pem -config server-signing-config.json - | \
  cfssljson -bare ca-signed-server

# 6. Upload the signed certificate into the CSR status
kubectl get csr kubernetes.default -o json | \
  jq '.status.certificate = "'$(base64 ca-signed-server.pem | tr -d '\n')'"' | \
  kubectl replace --raw /apis/certificates.k8s.io/v1/certificatesigningrequests/kubernetes.default/status -f -

# 7. Download the issued certificate
kubectl get csr kubernetes.default -o jsonpath='{.status.certificate}' \
  | base64 --decode > server.crt

# 8. Create the secret the operator pod mounts, in the namespace used by
#    the helm install command above
kubectl create secret tls jaeger-operator-service-cert --cert server.crt --key server-key.pem -n observability
```
@klinch0 thx
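
A pre-flight check for the `FailedMount` failure reported in this thread, as an added example that is not part of the issue or of the chart: given a rendered workload manifest as JSON and the names of the Secrets that exist in the namespace, it lists required Secret volumes that kubelet would fail to mount. The sample manifest is constructed; only the volume name `cert` and the secret name `jaeger-operator-service-cert` come from the log output above, and the function names are hypothetical.

```python
"""Pre-flight check: find Secret-backed volumes whose Secret does not exist."""
import json

def pod_spec(obj):
    """Pod spec of a Pod, or of a workload that embeds a pod template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def secret_refs(volume):
    """Yield (secret_name, optional) for plain and projected secret volumes."""
    if "secret" in volume:
        src = volume["secret"]
        yield src.get("secretName"), bool(src.get("optional", False))
    for item in volume.get("projected", {}).get("sources", []):
        if "secret" in item:
            src = item["secret"]
            yield src.get("name"), bool(src.get("optional", False))

def missing_secret_volumes(obj, existing_secrets):
    """Required secret volumes that kubelet would fail to mount."""
    spec = pod_spec(obj)
    mounted_by = {}
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        for mount in ctr.get("volumeMounts", []):
            mounted_by.setdefault(mount["name"], []).append(ctr["name"])
    findings = []
    for vol in spec.get("volumes", []):
        for secret, optional in secret_refs(vol):
            if secret and not optional and secret not in existing_secrets:
                findings.append({"volume": vol["name"], "secret": secret,
                                 "mounted_by": mounted_by.get(vol["name"], [])})
    return findings

# Constructed sample: only "cert" and "jaeger-operator-service-cert" come from
# the FailedMount event; container name and mount path are placeholders.
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "spec": {"template": {"spec": {
  "containers": [{"name": "operator", "volumeMounts": [
    {"name": "cert", "mountPath": "/placeholder/certs"}]}],
  "volumes": [
    {"name": "cert", "secret": {"secretName": "jaeger-operator-service-cert"}},
    {"name": "extra-ca", "secret": {"secretName": "extra-ca", "optional": true}}
  ]}}}}
""")

if __name__ == "__main__":
    for f in missing_secret_volumes(SAMPLE_DEPLOYMENT, existing_secrets=set()):
        print(f"volume {f['volume']!r} needs secret {f['secret']!r} "
              f"(mounted by {f['mounted_by']})")
```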